OT: Quickie Sophos workstation reporting script

Jason Balicki kodak at FRONTIERHOMEMORTGAGE.COM
Fri Nov 19 21:58:10 GMT 2004


If you're using Sophos on your MailScanner box, chances
are you also have Sophos on your Windows workstations.

I've made a quickie script that retrieves the logs,
does a little bit of massaging them and reports back
to you via email about the state of virus scanning
on your network.

I know Sophos has their own tools, but I wanted
something I could control.  Plus, writing this
seemed easier than the instructions they had for
setting up emreporting, and I'm lazy.  I decided
to share it for the usual reasons...

This script makes some assumptions:

1)  You're running Samba and you use wins (I pull
the list of machines directly from the wins.dat,
then compare the list to the smbpasswd file to
weed out things like printers and such.)

2)  You have a "sophos" user that has sufficient
rights on every workstation.  This is a requirement
of Enterprise Library as well.  My requirement is
that the user be the same on each workstation (this
is NOT required by EM.)

3)  You have all NT class machines and Sophos is
installed to the default location on all machines.

4)  You have a share named c$ available on all
workstations.  I plan on sharing out the log
directory read only to a throw away user
instead of the Sophos user, but this was quick
and dirty.

5)  You have the ability to mount smb shares.

This is a really small and easily adaptable script,
so even if you don't meet the requirements above,
you'll probably be able to change it easily for
your circumstances.

I know this isn't all that complex, but I
wasted some time on it and I thought other
MailScanner/Sophos users might be interested.

Sorry if it's too OT.

Also, if someone has already done this better
with a 3 line perl script, I don't want to
hear about it. :)

--J(K)

---cut here----
#!/bin/sh
# sophos_report
# written Jason Balicki
# just a quickie to get the Sophos logs from the workstations,
# and check them to see if Sophos has detected any viruses.
#
# last updated: 11-19-2004
WINSFILE=/var/cache/samba/wins.dat
# mktemp gives us a private work directory instead of predictable
# names in /tmp (which another local user could pre-create or symlink)
WORKDIR=`mktemp -d /tmp/sophosreport.XXXXXX` || exit 1
TEMPFILE=$WORKDIR/hosts
TEMPDIR=$WORKDIR/logs
TEMPREPORT=$WORKDIR/report
# you will need to change this bit, obviously
SMBUSER=yoursophosuser
SMBPASS=yoursophospass
MAILTO=root
MOUNTPOINT=/mnt/sophoslogs
# your log location may differ.  You'll have to add a bit of logic
# if you've got older 9x (or other) clients.  Mine are all XP or 2k
LOGLOCATION="Program Files/Sophos Sweep for NT/Reports/Daily.REP"
HASVIRUS=0
HASERROR=0
HOSTCOUNT=0
HOSTCOUNTMOUNTED=0
# you can pipe the following grep line through one or more grep -v to get
# rid of wins listings you know you don't need, like other linux boxes or
# printers or whatnot.
grep '#00' "$WINSFILE" | cut -d " " -f 1 | cut -d '#' -f 1 | cut -d '"' -f 2 > "$TEMPFILE"
mkdir "$TEMPDIR"
touch "$TEMPFILE.indomain"
echo "Sophos report for `date`" > "$TEMPREPORT"
echo >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
for HOST in `cat "$TEMPFILE"`; do
        # machine trust accounts in smbpasswd look like "HOST$:uid:...";
        # anchor the match so PC1 does not also match PC10 or MYPC1
        if grep -i "^${HOST}[\$]:" /etc/samba/smbpasswd > /dev/null 2>&1; then
                echo "$HOST" >> "$TEMPFILE.indomain"
                HOSTCOUNT=`expr $HOSTCOUNT + 1`
        else
                echo "$HOST is not listed in domain." >> "$TEMPREPORT"
        fi
done
echo >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
for HOST in `cat "$TEMPFILE.indomain"`; do
        TARGET="//$HOST/c\$"
        # the password is visible in the process list this way; smbmount
        # also takes -o credentials=/some/root-only/file if that bothers you
        if mount -t smbfs -o "username=$SMBUSER" -o "password=$SMBPASS" "$TARGET" "$MOUNTPOINT" > /dev/null 2>&1; then
                if [ -e "$MOUNTPOINT/$LOGLOCATION" ]; then
                        cp "$MOUNTPOINT/$LOGLOCATION" "$TEMPDIR/$HOST.Daily.log" > /dev/null 2>&1
                        HOSTCOUNTMOUNTED=`expr $HOSTCOUNTMOUNTED + 1`
                else
                        echo "WARNING: $HOST mounted, but no daily log found, check Sophos installation" >> "$TEMPREPORT"
                fi
                umount "$MOUNTPOINT" ||
                        echo "WARNING: unable to unmount $TARGET, you might want to fix this." >> "$TEMPREPORT"
        else
                echo "INFO: could not mount $TARGET, moving on." >> "$TEMPREPORT"
        fi
done
echo >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
echo "$HOSTCOUNTMOUNTED of $HOSTCOUNT hosts in domain had retrievable logs." >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
echo "Virus summary:" >> "$TEMPREPORT"
for LOG in `ls "$TEMPDIR"`; do
        HN=`echo "$LOG" | cut -d "." -f 1`
        if grep Virus "$TEMPDIR/$LOG" | grep detected > /dev/null 2>&1; then
                echo "Found one or more viruses in $HN" >> "$TEMPREPORT"
                HASVIRUS=1
        fi
done
if [ $HASVIRUS -eq 0 ]; then
        echo "Sophos reports no viruses found on any machine scanned." >> "$TEMPREPORT"
fi
echo >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
echo "Error summary:" >> "$TEMPREPORT"
for LOG in `ls "$TEMPDIR"`; do
        HN=`echo "$LOG" | cut -d "." -f 1`
        if grep Error: "$TEMPDIR/$LOG" > /dev/null 2>&1; then
                echo "Found one or more errors in $HN" >> "$TEMPREPORT"
                HASERROR=1
        fi
done
if [ $HASERROR -eq 0 ]; then
        echo "Sophos reports no errors found on any machine scanned." >> "$TEMPREPORT"
fi
echo >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
echo "Report Details:" >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
echo >> "$TEMPREPORT"
for LOG in `ls "$TEMPDIR"`; do
        HN=`echo "$LOG" | cut -d "." -f 1`
        echo "$LOG:" >> "$TEMPREPORT"
        grep Info: "$TEMPDIR/$LOG" | grep started >> "$TEMPREPORT"
        grep Version "$TEMPDIR/$LOG" >> "$TEMPREPORT"
        grep Includes "$TEMPDIR/$LOG" | grep detection >> "$TEMPREPORT"
        grep Virus "$TEMPDIR/$LOG" | grep detected >> "$TEMPREPORT" ||
                echo "No viruses detected by Sophos on $HN" >> "$TEMPREPORT"
        grep Error: "$TEMPDIR/$LOG" >> "$TEMPREPORT" ||
                echo "No errors detected by Sophos on $HN" >> "$TEMPREPORT"
        echo >> "$TEMPREPORT"
done
# check for a leftover mount BEFORE mailing, otherwise the warning is
# appended to a report that has already been sent and nobody sees it
if df | grep "$MOUNTPOINT" > /dev/null 2>&1; then
        echo "WARNING: it appears $MOUNTPOINT is still mounted." >> "$TEMPREPORT"
fi
mail -s "Virus report" "$MAILTO" < "$TEMPREPORT"
#clean up /tmp (this also removes $TEMPFILE.indomain, which the
# original rm line forgot)
rm -rf "$WORKDIR"
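The host-discovery and log-classification steps of the script above, pulled out into functions and run against constructed sample data so they can be exercised without Samba or a Sophos install. This is an added example, not part of the original post; the wins.dat, smbpasswd and Daily.REP lines are made up in the layouts the script's grep/cut chains expect, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). All sample data below is
# constructed; hashes and version strings are placeholders.

# Print the NetBIOS names of the #00 entries in a wins.dat file
# (same cut chain as sophos_report).
wins_hosts() {
        grep '#00' "$1" | cut -d " " -f 1 | cut -d '#' -f 1 | cut -d '"' -f 2
}

# Exit 0 if HOST has a machine trust account ("HOST$:...") in smbpasswd.
# Anchored at both ends: an unanchored grep -i "$HOST" would let PC1
# match PC10 or MYPC1 and count a machine that is not in the domain.
in_domain() {
        grep -i "^$1[\$]:" "$2" > /dev/null 2>&1
}

# Classify one retrieved Daily.REP with the same greps the report uses:
# prints "virus", "error" or "clean".
log_status() {
        if grep Virus "$1" | grep detected > /dev/null 2>&1; then
                echo virus
        elif grep 'Error:' "$1" > /dev/null 2>&1; then
                echo error
        else
                echo clean
        fi
}

# Write the constructed sample files into a scratch directory and print
# its path; the caller removes it when done.
make_samples() {
        d=`mktemp -d` || return 1
        printf '%s\n' '"PC1#00" 1101000000 192.168.1.5 64R' \
                '"PC10#00" 1101000000 192.168.1.6 64R' \
                '"LASER#00" 1101000000 192.168.1.7 64R' > "$d/wins.dat"
        printf '%s\n' 'pc1$:1001:XXXX:XXXX:[W          ]:LCT-00000000:' \
                'pc10$:1002:XXXX:XXXX:[W          ]:LCT-00000000:' > "$d/smbpasswd"
        printf '%s\n' 'Info: Sweep started' 'Version SAMPLE' \
                'Virus SAMPLE-NAME detected in C:\sample.tmp' > "$d/pc1.log"
        printf '%s\n' 'Info: Sweep started' \
                'Error: could not open C:\pagefile.sys' > "$d/pc10.log"
        printf '%s\n' 'Info: Sweep started' \
                'Includes detection for SAMPLE viruses' > "$d/laser.log"
        echo "$d"
}
```

The LASER entry shows the intended filtering: it is in wins.dat but has no machine account, so in_domain rejects it, and PC1 is rejected for PC10 only because the match is anchored.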

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
